[Help-gnutls] Checking hostname against certificate

Andrew McDonald andrew at mcdonald.org.uk
Mon Jan 28 20:29:36 CET 2002


On Mon, Jan 28, 2002 at 10:13:08AM +0200, Nikos Mavroyanopoulos wrote:
> On Sun, 27 Jan 2002 21:22:37 +0000 Andrew McDonald <andrew at mcdonald.org.uk> wrote:
>
> > (Actually, might something along these lines be useful to put into
> > libgnutls itself?)
> Well X.509 is a REALLY bloated protocol. There are a lot of things that
> we should handle. An X.509 certificate may even contain videos, photographs 
> and anything that can get an OID.

So I discovered on reading Peter Gutmann's X.509 Style Guide.

> For gnutls I intend to add only basic functionality required to work.
> (Hopefully there is aegypten, but I don't know how far it can go
> yet.)

Yes, this does seem more to belong in libksba since it is purely an
'X.509 thing' rather than doing any TLS.

> > gnutls_x509pki_extract_subject_dns_name doesn't seem to be working.
> > As far as I understand it, this should extract a DNS name from a
> > Subject Alternative Name X.509v3 extension (as described in RFC2549,
> > section 4.2.1.7).
> This function was never tested.. Please, send me the certificate that
> contains the dnsname, email extensions, so I can give it a test (and a fix).
> 
> > 2.5.29.17 is the OID for an AltName extension. How does
> > _gnutls_get_extension know you want the dNSName?
> it does not :)

Ah. Good. I was a bit worried that I couldn't see how it could possibly
do what it was supposed to. :-)

I've attached imapd.pem, a test certificate (since this is a test key
I've included the private part as well to give you maximum flexibility
in testing). This was generated from the attached imapd.cnf using the
command:
openssl req -new -x509 -days 365 -nodes -out imapd.pem -keyout imapd.pem -config imapd.cnf

Regards,


Andrew
-- 
Andrew McDonald
E-mail: andrew at mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/
-------------- next part --------------
-----BEGIN RSA PRIVATE KEY-----
[private key body omitted from the archive]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC9jCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmDELMAkGA1UEBhMCVUsx
DzANBgNVBAgTBlN1cnJleTESMBAGA1UEBxMJQ3JhbmxlaWdoMRgwFgYDVQQKEw9t
Y2RvbmFsZC5vcmcudWsxFjAUBgNVBAsTDU1haWwgU2VydmljZXMxDTALBgNVBAMT
BGltYXAxIzAhBgkqhkiG9w0BCQEWFHJvb3RAbWNkb25hbGQub3JnLnVrMB4XDTAy
MDEyODE5MjA0N1oXDTAzMDEyODE5MjA0N1owgZgxCzAJBgNVBAYTAlVLMQ8wDQYD
VQQIEwZTdXJyZXkxEjAQBgNVBAcTCUNyYW5sZWlnaDEYMBYGA1UEChMPbWNkb25h
bGQub3JnLnVrMRYwFAYDVQQLEw1NYWlsIFNlcnZpY2VzMQ0wCwYDVQQDEwRpbWFw
MSMwIQYJKoZIhvcNAQkBFhRyb290QG1jZG9uYWxkLm9yZy51azCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAv9GVdcn9tqNHkqlg11M7Rm+6XhIlav17FEHD7NT8
JkZp1bpyb7mgAgeGv/D2H4sZPWKSWAByvxG8Lf3GnGNMrd5a9PGKeavYEbuV7vkR
rJEcmVubH3kFgoITGWWYH6/jl9/VLJnuB03wOfk2ud8JR5hET6AfVzLTsMjcR2cX
lYMCAwEAAaNOMEwwEQYJYIZIAYb4QgEBBAQDAgZAMDcGA1UdEQQwMC6BFHJvb3RA
bWNkb25hbGQub3JnLnVrghZ3b21wb20ubWNkb25hbGQub3JnLnVrMA0GCSqGSIb3
DQEBBAUAA4GBACZEPj79xugPLUxuJ7u1TtSVErp9jjCABhngrpVONM7DskQOHLAr
x3j0CSyxQxhKSxaU9c5fnieJ2Ku40A5CXTg203VL29mmAs5KBWouvAZh+cTzKjBl
otBbGAxCX2hl0DIlc6ZbLh7ox4+eoNZTy5L60d2f8C3OGAt9RdJbRX9p
-----END CERTIFICATE-----
-------------- next part --------------

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=UK
ST=Surrey
L=Cranleigh
O=mcdonald.org.uk
OU=Mail Services
CN=imap
emailAddress=root@mcdonald.org.uk

[ cert_type ]
nsCertType = server
subjectAltName=email:copy,DNS:wompom.mcdonald.org.uk
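The following is an added example, not code from the thread or from libgnutls: it walks the DER of the imapd.pem certificate attached above, finds the extension whose OID is 2.5.29.17, and shows why `_gnutls_get_extension` alone cannot return "the dNSName": the extension value is a SEQUENCE of GeneralName, a CHOICE where each entry is discriminated by its context tag ([1] rfc822Name, [2] dNSName), so the caller has to pick the tag it wants. The hostname-matching rules (case-insensitive labels, a single `*` only as the whole leftmost label, in the style of RFC 6125), the DER walker and all function names are assumptions of this example; the certificate bytes are the ones posted to the list, and the subject CN (`imap`) is deliberately not consulted.

```python
"""Pull rfc822Name/dNSName entries out of the subjectAltName extension of a
PEM certificate with a small hand-written DER walker, then match a hostname."""
import base64
import re

# Certificate part of imapd.pem as attached to the list message.
IMAPD_PEM = """-----BEGIN CERTIFICATE-----
MIIC9jCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmDELMAkGA1UEBhMCVUsx
DzANBgNVBAgTBlN1cnJleTESMBAGA1UEBxMJQ3JhbmxlaWdoMRgwFgYDVQQKEw9t
Y2RvbmFsZC5vcmcudWsxFjAUBgNVBAsTDU1haWwgU2VydmljZXMxDTALBgNVBAMT
BGltYXAxIzAhBgkqhkiG9w0BCQEWFHJvb3RAbWNkb25hbGQub3JnLnVrMB4XDTAy
MDEyODE5MjA0N1oXDTAzMDEyODE5MjA0N1owgZgxCzAJBgNVBAYTAlVLMQ8wDQYD
VQQIEwZTdXJyZXkxEjAQBgNVBAcTCUNyYW5sZWlnaDEYMBYGA1UEChMPbWNkb25h
bGQub3JnLnVrMRYwFAYDVQQLEw1NYWlsIFNlcnZpY2VzMQ0wCwYDVQQDEwRpbWFw
MSMwIQYJKoZIhvcNAQkBFhRyb290QG1jZG9uYWxkLm9yZy51azCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAv9GVdcn9tqNHkqlg11M7Rm+6XhIlav17FEHD7NT8
JkZp1bpyb7mgAgeGv/D2H4sZPWKSWAByvxG8Lf3GnGNMrd5a9PGKeavYEbuV7vkR
rJEcmVubH3kFgoITGWWYH6/jl9/VLJnuB03wOfk2ud8JR5hET6AfVzLTsMjcR2cX
lYMCAwEAAaNOMEwwEQYJYIZIAYb4QgEBBAQDAgZAMDcGA1UdEQQwMC6BFHJvb3RA
bWNkb25hbGQub3JnLnVrghZ3b21wb20ubWNkb25hbGQub3JnLnVrMA0GCSqGSIb3
DQEBBAUAA4GBACZEPj79xugPLUxuJ7u1TtSVErp9jjCABhngrpVONM7DskQOHLAr
x3j0CSyxQxhKSxaU9c5fnieJ2Ku40A5CXTg203VL29mmAs5KBWouvAZh+cTzKjBl
otBbGAxCX2hl0DIlc6ZbLh7ox4+eoNZTy5L60d2f8C3OGAt9RdJbRX9p
-----END CERTIFICATE-----"""

SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 (subjectAltName), DER contents of the OID


def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos).
    X.509 only needs single-byte tags; long-form lengths are handled."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))


def subject_alt_names(der):
    """Return (dns_names, emails) from subjectAltName; GeneralName is a CHOICE
    told apart by context tag: 0x81 = [1] rfc822Name, 0x82 = [2] dNSName."""
    _, cert, _ = der_read(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)           # tbsCertificate ::= SEQUENCE
    dns, emails = [], []
    for tag, value in der_children(tbs):
        if tag != 0xA3:                     # [3] EXPLICIT Extensions
            continue
        _, ext_seq, _ = der_read(value, 0)  # Extensions ::= SEQUENCE OF Extension
        for _, ext in der_children(ext_seq):
            fields = list(der_children(ext))  # extnID, [critical BOOLEAN], extnValue
            if fields[0][1] != SAN_OID:
                continue
            _, names, _ = der_read(fields[-1][1], 0)  # OCTET STRING wraps a SEQUENCE
            for gtag, gval in der_children(names):
                if gtag == 0x82:
                    dns.append(gval.decode("ascii"))
                elif gtag == 0x81:
                    emails.append(gval.decode("ascii"))
    return dns, emails


def hostname_matches(hostname, pattern):
    """Case-insensitive label match; '*' is accepted only as the entire leftmost
    label and matches exactly one label (assumed rule, RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(host) > 2 and host[1:] == pat[1:]
    return host == pat


def check_hostname(pem, hostname):
    """True if hostname matches any dNSName in the certificate's subjectAltName."""
    dns, _ = subject_alt_names(pem_to_der(pem))
    return any(hostname_matches(hostname, name) for name in dns)


if __name__ == "__main__":
    print(subject_alt_names(pem_to_der(IMAPD_PEM)))
    print(check_hostname(IMAPD_PEM, "wompom.mcdonald.org.uk"))
```

Run as-is it reports the two names carried by the attached certificate (one rfc822Name copied from the DN, one dNSName) and confirms that `wompom.mcdonald.org.uk` matches while the DN's `CN=imap` is never consulted.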


